I've upgraded one of my firewalls to 4.7 and have revised a few of the 'rdr pass' rules to reflect the syntax changes introduced in 4.7, but I'm not quite understanding why or when it would be appropriate to use match over pass in port redirection. Could someone enlighten me a bit? I've read the pf.conf man page but do better with practical examples when it comes to understanding concepts.

Also, I've read through the pf FAQ and man page trying to find out more about the inet declaration in the rules. I understand this is an address family, but the docs don't speak of it (that I can find) beyond that. In the pf FAQ I see example rules using it and others not in spite of these rules looking very similar, but don't understand why. Oops, the post title should have read "proto vs inet proto".

match is used when you want a rule to match but do not necessarily want either a pass or a block to apply right then and there; you will either already have one (such as a pass all) or will apply a pass rule later if applicable. You can use a label with it for use in later policy-based filtering rules, too. Commonly used for NAT rules, port redirection rules, or tag-based policy filtering.

The inet family is one of two families supported by pf. The other is inet6. The purpose is so that you can have different rules apply to IPv4 and IPv6, if necessary. Commonly used when tunnelling IPv6 under IPv4, or IPv4 under IPv6.
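As an added example (not from this thread or from jggimi's post), here is a small OpenBSD 4.7-style pf.conf fragment that shows both points side by side: a redirection done with match plus a separate pass, the same redirection done with a single pass rdr-to rule, and the inet / inet6 keywords restricting rules to one address family. Interface names and addresses are made-up placeholders.

```pf
# Added example, not the thread's own ruleset. em0/em1 and the two
# web server addresses are assumptions chosen for illustration.
ext_if = "em0"
int_if = "em1"
web_v4 = "192.168.1.10"
web_v6 = "2001:db8:1::10"

set skip on lo

# Default policy first; pf uses last-matching-rule-wins, so the
# pass rules below override this for the traffic they describe.
block drop in log on $ext_if all

# NAT for the internal IPv4 network. 'match' only records the
# translation; whether the packet is allowed is decided by whichever
# pass/block rule matches it afterwards (here, the outbound pass).
match out on $ext_if inet from $int_if:network nat-to ($ext_if)

# Style 1: match + separate pass. The match rule sets up the rdr-to
# and tags the packet but makes no pass/block decision. Rules after
# a match with a translation see the translated destination, so the
# pass rule names $web_v4, not the external address.
match in on $ext_if inet proto tcp from any to ($ext_if) port 80 rdr-to $web_v4 tag WEB
pass in on $ext_if inet proto tcp from any to $web_v4 port 80 tagged WEB

# Style 2: translation and the pass decision in one rule. Simpler
# when nothing else (tags, queues, labels) needs to act on the packet.
pass in on $ext_if inet proto tcp from any to ($ext_if) port 443 rdr-to $web_v4

# Address families: 'inet' restricts a rule to IPv4, 'inet6' to IPv6.
# The IPv6 host is reachable directly, so no rdr-to is involved.
pass in on $ext_if inet6 proto tcp from any to $web_v6 port { 80 443 }

# No family keyword and no literal address: evaluated for both families.
pass out on $ext_if proto { tcp udp } from any to any
```

Before loading, check the syntax without touching the running ruleset with `pfctl -nf /etc/pf.conf`; after loading, `pfctl -vsr` prints the rules as pf parsed them, which is the quickest way to see which family and translation each rule ended up with.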

Quote:

Originally Posted by jggimi

match is used when you want a rule to match but do not necessarily want either a pass or a block to apply right then and there; you will either already have one (such as a pass all) or will apply a pass rule later if applicable. You can use a label with it for use in later policy-based filtering rules, too. Commonly used for NAT rules, port redirection rules, or tag-based policy filtering.

Thanks, that makes sense.

Quote:

Originally Posted by jggimi

The inet family is one of two families supported by pf. The other is inet6. The purpose is so that you can have different rules apply to IPv4 and IPv6, if necessary. Commonly used when tunnelling IPv6 under IPv4, or IPv4 under IPv6.

So by specifying proto without inet, it includes inet and inet6. But by specifying inet you are excluding inet6 and vice versa?